General

  • Target

    TAX.xlsb

  • Size

    10KB

  • Sample

    230403-atghpsdb7y

  • MD5

    1e1afc93c8092b2c7e49a6d3a451629f

  • SHA1

    081d3ab46a0641d952ca28eacc6d4ef3516fdfd0

  • SHA256

    ea0923854208956b1f563c5301bd0c9a8561128b7bd48c5b475ddeea29da8a1c

  • SHA512

    5ca2f6827fc93c7645660d3f787c1d074596ecd90b5b7c03748f46def274dc1d4edb931251202a9c50fb925ba2c9dda855cd42a0c90d7c313f24aaa93823150d

  • SSDEEP

    192:F5ssEP3p0o7VhgmK05bVhvtrWNpUAWvXSRo1jdF:3ssGZ0o7VhVK+hvwNmvV

Score
10/10

Malware Config

  • Extracted

    Language  ps1 (deobfuscated)
    URLs      ps1.dropper  http://kilolo.site/raw.txt

  • Extracted

    Language  ps1 (deobfuscated)
    URLs      ps1.dropper  https://kilolo.site/raw.txt

  • Extracted

    Language  hta (source)
    URLs      hta.dropper  http://37.72.175.188:80/home

Targets

    • Target

      TAX.xlsb

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request
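The two signatures above describe behaviour rather than a rule, so the following added example (not part of the sandbox report or of the sample) implements both as checks over Sysmon-style process-creation and network-connection events. The event records are constructed for illustration and are not from the sandbox run; the only indicators taken from the report are the extracted dropper host kilolo.site and the HTA dropper address 37.72.175.188. The Office-parent and script-host lists are an assumed EDR baseline.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Office parents that should not need a script host, and the script hosts a
# malicious xlsb typically launches (assumption: a common EDR baseline).
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# Network indicators taken from the extracted config in this report.
REPORT_IOCS = {"kilolo.site", "37.72.175.188"}

SIG_CHILD = "Process spawned unexpected child process"
SIG_NET = "Blocklisted process makes network request"


@dataclass
class Event:
    """One Sysmon-style record: EID 1 (process create) or EID 3 (network connect)."""
    kind: str                            # "process" or "network"
    pid: int                             # acting process
    image: str                           # image path of the acting process
    parent_pid: Optional[int] = None     # process events only
    parent_image: Optional[str] = None   # process events only
    dest_host: Optional[str] = None      # network events only
    dest_port: Optional[int] = None


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events: List[Event]) -> List[Tuple[str, int, str]]:
    """Return (signature, pid, detail) for each event that trips a rule.

    A script host launched by an Office parent is flagged and becomes
    blocklisted; its descendants inherit that status, so any network
    request they make is reported as well. Events must be in time order.
    """
    hits: List[Tuple[str, int, str]] = []
    blocklisted: set = set()
    for ev in events:
        if ev.kind == "process":
            child = basename(ev.image)
            parent = basename(ev.parent_image or "")
            if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
                blocklisted.add(ev.pid)
                hits.append((SIG_CHILD, ev.pid, f"{parent} -> {child}"))
            elif ev.parent_pid in blocklisted:
                blocklisted.add(ev.pid)  # child of a flagged process inherits the taint
        elif ev.kind == "network" and ev.pid in blocklisted:
            ioc = " [matches extracted config]" if ev.dest_host in REPORT_IOCS else ""
            hits.append((SIG_NET, ev.pid,
                         f"{basename(ev.image)} -> {ev.dest_host}:{ev.dest_port}{ioc}"))
    return hits


EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSHTA = r"C:\Windows\System32\mshta.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed event stream (not from the sandbox run): Excel opens the
# workbook, launches PowerShell, which fetches raw.txt and then runs mshta
# against the HTA dropper; a browser session is included as a benign baseline.
SAMPLE_EVENTS = [
    Event("process", 4120, EXCEL, parent_pid=3100, parent_image=r"C:\Windows\explorer.exe"),
    Event("process", 4188, PS, parent_pid=4120, parent_image=EXCEL),
    Event("network", 4188, PS, dest_host="kilolo.site", dest_port=443),
    Event("process", 4210, MSHTA, parent_pid=4188, parent_image=PS),
    Event("network", 4210, MSHTA, dest_host="37.72.175.188", dest_port=80),
    Event("process", 5000, CHROME, parent_pid=3100, parent_image=r"C:\Windows\explorer.exe"),
    Event("network", 5000, CHROME, dest_host="example.com", dest_port=443),
]


def run_sample() -> List[Tuple[str, int, str]]:
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for sig, pid, detail in run_sample():
        print(f"{sig}: pid {pid}, {detail}")
```

The taint propagation matters in practice: the HTA stage is launched by PowerShell, not directly by Excel, so a rule that only inspects the immediate parent would miss the second network request. Matching the destination against the extracted config is a convenience for triage; the blocklisting itself does not depend on it.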

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                      Count   ID
  Persistence       BITS Jobs                      1       T1197
  Defense Evasion   BITS Jobs                      1       T1197
  Defense Evasion   Modify Registry                1       T1112
  Discovery         Query Registry                 2       T1012
  Discovery         System Information Discovery   2       T1082

Tasks